Browse Prior Art Database

System, method and apparatus for human integration into multi factor authentication

IP.com Disclosure Number: IPCOM000215793D
Publication Date: 2012-Mar-12
Document File: 2 page(s) / 20K

Publishing Venue

The IP.com Prior Art Database

Abstract

Authentication is the most security sensitive part of the application. The authentication controls serve as a gate to the application and if the attacker succeeds to penetrate it he is basically given the "keys to the kingdom" and may do whatever he likes to the application. Because of the importance of this part the attackers developed quite a few ways to get illegitimate access to the applications. The arsenal of methods that targets authentication is quite big and contains: phishing, keystrokes recording malware, brute force attacks, SQLi that bypasses authentication and others.The main problem with the authentication is that it is automated and so it is predictable and therefore by learning how it works it is possible to find a method to bypass it. In certain cases the organization can't take a risk that somebody unauthorized may break into the application in a known or unknown way. This includes military applications, remote control and management of the big factories, air traffic control applications and others. For this kind of applications there is a need to find a new way to defend the application and this is what our invention suggests.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 01 of 2

method and apparatus for human integration into multi factor authentication

method and apparatus for human integration into multi factor authentication

In our invention we suggest a method as well as the system for including human interaction in the applications for the purpose of authentication and authorization. In general it works like this. The customer logs in into the application and then he has a pop up with a chat service. The human on the other side starts interrogating a client and once he verifies that the person is really the one who he claims to be he opens an application and creates a session between the client and the application.

The usual authentication process in application (web for example) works in a

following way. The user presents its credentials for example with the user name and password and then the server, once it authenticates the client, creates a session. In a

web the session is sometimes associated via HTTP cookie , but it might also have different session variables which are created post authentication. In multi factor authentication the user needs to go over several authentication layers. There are multiple ways and reasons why they are in use and implemented they way they are, but mostly this is done to increase the overall security level of the application. What we suggest in our invention is to use an additional authentication layer which is based on human interrogation process. The interrogation (or questioning) can be done using an integrated human collaboration tool and it works in a following way:
The user performs an authentication using for example his user name and password.

After this step ends successfully the application allocates a token (HTTP cookie for web sessions) and the user gets into the page where he will go through the questioning. At

System, ,

this point the user is still unable to perform any actions in the application.

    In a questioning page he will get an Instant Questioning screen. The Instant Questing can be based on instant messaging application, and may contain messaging,

web camera, audio and other means. The other side in the Instant Que...